XiaoBa
XiaoBa is a ransomware that runs on Microsoft Windows. It was discovered by MalwareHunterTeam. It is aimed at Chinese users.

Payload Transmission

XiaoBa is distributed by hacking through an insecure RDP configuration, email spam with malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged and infected installers.

Infection

During its preparation stage, XiaoBa clears the Shadow Volume Copies, clears the Windows event logs, and disables Windows automatic repair by executing the following commands:

    vssadmin.exe delete shadows /all /quiet
    WMIC shadowcopy delete
    wevtutil.exe cl Application
    wevtutil.exe cl Security
    wevtutil.exe cl System
    Bcdedit.exe /set {default} recoveryenabled no
    Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

XiaoBa then encrypts the victim's files using a strong encryption algorithm. XiaoBa appears to have several layers of obfuscation and uses compromised websites as Command and Control servers to hide its activity from security researchers. Many encryption ransomware Trojans mark the victim's files with custom extensions after an attack. XiaoBa renames each encrypted file by appending one of numerous extensions, the string '.XiaoBa' followed by a number from 1 to 34 (from '.XiaoBa1' to '.XiaoBa34'). XiaoBa targets user-generated files while avoiding the Windows system files, because threats like XiaoBa need Windows to keep functioning after the attack so that the victim can carry out the ransom payment.
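The preparation-stage commands above are the kind of thing a defender can match in process-creation telemetry (Windows Security event 4688 or Sysmon event 1) before encryption starts. The following is an added example, not code from the page or from any analysis of the sample: it tags a command line by which recovery-inhibiting action it performs, scans a constructed list of sample events, and also recognises the '.XiaoBa1' to '.XiaoBa34' rename pattern. The regexes, event format and sample lines are all assumptions constructed for the example.

```python
import re

# Constructed, case-insensitive patterns for the commands the page lists.
# Each is anchored on the tool name plus its arguments so that ordinary
# administrative use (e.g. "vssadmin list shadows") does not fire.
INHIBIT_RECOVERY_PATTERNS = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    ],
    "event_log_clearing": [
        re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(application|security|system)\b", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    ],
}

# Encrypted files are renamed to <original name>.XiaoBa<N> with N in 1..34.
XIAOBA_EXT = re.compile(r"\.XiaoBa([1-9]|[12]\d|3[0-4])$")


def classify_command(cmdline):
    """Return the set of technique tags a process command line matches."""
    return {tag for tag, pats in INHIBIT_RECOVERY_PATTERNS.items()
            if any(p.search(cmdline) for p in pats)}


def is_xiaoba_renamed(filename):
    """True if the file name carries a '.XiaoBa1'..'.XiaoBa34' extension."""
    return XIAOBA_EXT.search(filename) is not None


def scan_process_events(events):
    """events: dicts with 'ts' and 'cmdline' (constructed shape, assumed).
    Returns (hits, alert): hits is a list of (ts, cmdline, sorted tags);
    alert becomes True once two different technique tags have been seen,
    which is the combination the page describes for XiaoBa's preparation."""
    hits, seen = [], set()
    for ev in events:
        tags = classify_command(ev["cmdline"])
        if tags:
            hits.append((ev["ts"], ev["cmdline"], sorted(tags)))
            seen |= tags
    return hits, len(seen) >= 2


SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    {"ts": "12:00:01", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"ts": "12:00:02", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "12:00:02", "cmdline": "WMIC shadowcopy delete"},
    {"ts": "12:00:03", "cmdline": "wevtutil.exe cl Security"},
    {"ts": "12:00:04", "cmdline": "Bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "12:00:05", "cmdline": "vssadmin.exe list shadows"},
]
```

Any one of these commands has legitimate uses, so the alert is raised on the combination of distinct tags from one host in a short window rather than on a single match.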
A few examples of the file types that XiaoBa targets in its attack are: .3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

After encrypting the victim's files, XiaoBa changes the infected computer's desktop image and drops three files: a decryptor, '_@XiaoBa@_.bmp' and '_@Explanation@_.hta'. The new desktop image shows XiaoBa's ransom note, written in Chinese. The translation of the ransom note reads:

    Warning! Encrypted files!
    All files are encrypted using the RSA-2048 AES-128 algorithm
    Please don't try to crack, because you might corrupt the files
    Only our decryptor can help you
    If you see this wallpaper but do not see "XiaoBa" window, then your anti-virus software removed this decryption software.
    If you want your files you need the program
    Please find the decryption program or recover it from the anti-virus software
    Run the decryption program and follow the instructions
    Please send about 1,200 yuan = 180.81 $ worth of Bitcoin to the specified address
    Bitcoin currency wallet: 1GoD72v5gDyWxgPuBph7zQwvR6bFZyZnrB
    For more information click on _@Explanation@_.hta
    Email: B32588601@163.com

Categories: Win32 ransomware, Ransomware, Win32 trojan, Win32, Microsoft Windows, Trojan